Is this keeping data secure not a concern with internal storage? i.e. no need to encrypt it because other apps are not allowed access?

Seems this solution is of limited use since it relies on an SD card. Android devices frequently lack an SD card slot, so an app relying on that for security would be shafted on some of the most popular devices (eg. Nexus series).

Is this keeping data secure not a concern with internal storage? i.e. no need to encrypt it because other apps are not allowed access?

Seems this solution is of limited use since it relies on an SD card. Android devices frequently lack an SD card slot, so an app relying on that for security would be shafted on some of the most popular devices (eg. Nexus series).

It's been my experience that you can usually just reference the SD card anyways because the system pretends that there is one on the internal storage. Either way, it shouldn't be hard to use internal storage as fallback. The reason this is primarily a concern for SD cards is that if you were going to completely ignore them, you would be better off just writing to the app's private folder in the first place. In order to allow the app to store the extra data on the SD card if it is available, they need to store it in a publicly accessible area either way.

Can a guru address if this is an issue for other operating systems? IOS, BB10, WP8.

In linux, you would just handle this, at least at the most basic level, with file ownership. Perhaps make each app a different user.

In iOS, every application is sandboxed and cannot write files (or read) outside of its own sandboxed directory. Accessing the contacts, photos and other things need to go through a trusted system service (which prompts the user for access, and if an app isn't allowed, will return an empty result set). iOS does symbolically link certain things into the application sandbox that is deemed "writable" but it's a very select amount of stuff.

Also, escaping the sandbox has been (to this point) pretty difficult, and not happened in any AppStore apps (to my knowledge). A jailbreak does everything to negate most of these protections.

Can a guru address if this is an issue for other operating systems? IOS, BB10, WP8.

In linux, you would just handle this, at least at the most basic level, with file ownership. Perhaps make each app a different user.

In iOS, every application is sandboxed and cannot write files (or read) outside of its own sandboxed directory. Accessing the contacts, photos and other things need to go through a trusted system service (which prompts the user for access, and if an app isn't allowed, will return an empty result set). iOS does symbolically link certain things into the application sandbox that is deemed "writable" but it's a very select amount of stuff.

Also, escaping the sandbox has been (to this point) pretty difficult, and not happened in any AppStore apps (to my knowledge). A jailbreak does everything to negate most of these protections.

I would like to point out that Android provides this same type of internal folder access as well, it's just no the default. The additional complications of public files is mostly due to the extra construct (SD cards), which iOS doesn't support in the first place. Though the fine tuned permissions to contacts, photos, etc is definitely superior in iOS. And root seems to just be easier to get on Android then in iOS (Jailbreaking), so these measures are more easily defeated in Android.

I don't get how Facebook would use it. The internal memory is already private but limited so they use the sd to get more space but what data would they store in it? The only thing I can think of is a cache, but for that there is already a system in place and even then it shouldn't be that big...

Can a guru address if this is an issue for other operating systems? IOS, BB10, WP8.

In linux, you would just handle this, at least at the most basic level, with file ownership. Perhaps make each app a different user.

In iOS, every application is sandboxed and cannot write files (or read) outside of its own sandboxed directory. Accessing the contacts, photos and other things need to go through a trusted system service (which prompts the user for access, and if an app isn't allowed, will return an empty result set). iOS does symbolically link certain things into the application sandbox that is deemed "writable" but it's a very select amount of stuff.

Also, escaping the sandbox has been (to this point) pretty difficult, and not happened in any AppStore apps (to my knowledge). A jailbreak does everything to negate most of these protections.

I would like to point out that Android provides this same type of internal folder access as well, it's just no the default. The additional complications of public files is mostly due to the extra construct (SD cards), which iOS doesn't support in the first place. Though the fine tuned permissions to contacts, photos, etc is definitely superior in iOS. And root seems to just be easier to get on Android then in iOS (Jailbreaking), so these measures are more easily defeated in Android.

Yeah, and Android (for the most part) is less secure. Gaining root (even on "locked" devices) is usually worked out before a device releases, or at least within the first week of a new device. By comparison, iOS 7, which was released in early fall, was only publicly "rooted" (by Android verbiage) about 1 month ago, and some of the exploits used have already been blocked in iOS 7.1.

I think the ignored question here is, why the hell is facebook of all companies doing this? What are they doing releasing open source android tools?? That looks to me to be far off the radar of being anything useful for them.

I think the ignored question here is, why the hell is facebook of all companies doing this? What are they doing releasing open source android tools?? That looks to me to be far off the radar of being anything useful for them.

You'd be fairly incorrect. Facebook does release a decent amount of open source things, not specifically for Android, but they've released basically all their work on a PHP compiler, along with some Javascript libraries and other little goodies.

Plus, a simple encryption method isn't really going to give them a giant competitive edge, so why not open it up for some good will?

Who uses Conceal?Facebook currently uses Conceal to store image files on SD cards. Conceal helps Facebook protect user's private data by encrypting data stored on SD cards while allowing users to move some of the data storage needs of the app to the expandable SD card.

I think the ignored question here is, why the hell is facebook of all companies doing this? What are they doing releasing open source android tools?? That looks to me to be far off the radar of being anything useful for them.

Facebook contribute quite a lot of code back to open source projects. Check out their open-source page, and Github repo for some of their projects.

Note that doesn't include code they have contributed to, but not forked (Hadoop, PHP, etc).

The Facebook application at the time of installation on Android mobile phones seeks certain permissions and the updated version now asks users to allow it "Read your text messages (SMS or MMS)".

The social media's logic behind seeking access to SMS is that "if you add a phone number to your account, this allows us to confirm your phone number automatically by finding the confirmation code that we send via text message".

The updated Facebook application now wants to "Read calendar events plus confidential information" which it justifies as it is required to allow "the app to show your calendar availability (based on your phone's calendar) when you're viewing an event on Facebook".

Can a guru address if this is an issue for other operating systems? IOS, BB10, WP8.

In linux, you would just handle this, at least at the most basic level, with file ownership. Perhaps make each app a different user.

Actually, I believe you're mistaken. File ownership and permissions do absolutely nothing to prevent anyone from reading your data if (a) the computer is turned off, and the drive is mounted from a bootable CD or Flash drive, or (b) if someone else on the system has any kind of administrator/root/superuser permissions.

[To illustrate the difference, for example, on Windows, you can allow an account permissions as a "System Backup Administrator", and that account will be able to *access* the files of all other users on that computer -- in order to make backups of them -- but will not be able to *decrypt* anything the other users have encrypted (with Windows' built-in Encrypted File System).]

*That* is why proper encryption is so important, IMHO. File ownership permissions are a completely inadequate way to keep your data private on any digital storage media.

I think the ignored question here is, why the hell is facebook of all companies doing this? What are they doing releasing open source android tools?? That looks to me to be far off the radar of being anything useful for them.

You'd be fairly incorrect. Facebook does release a decent amount of open source things, not specifically for Android, but they've released basically all their work on a PHP compiler, along with some Javascript libraries and other little goodies.

Plus, a simple encryption method isn't really going to give them a giant competitive edge, so why not open it up for some good will?

EDIT: I realized I made a terrible grammatical error!

I think the question is more: Why is Facebook releasing a tool to protect your privacy?

I think the ignored question here is, why the hell is facebook of all companies doing this? What are they doing releasing open source android tools?? That looks to me to be far off the radar of being anything useful for them.

You'd be fairly incorrect. Facebook does release a decent amount of open source things, not specifically for Android, but they've released basically all their work on a PHP compiler, along with some Javascript libraries and other little goodies.

Plus, a simple encryption method isn't really going to give them a giant competitive edge, so why not open it up for some good will?

EDIT: I realized I made a terrible grammatical error!

I think the question is more: Why is Facebook releasing a tool to protect your privacy?

And I will ask the question: why not? It takes very little work on their part and gives them more developer good will. Seems like a win win for them.

Connect and disconnect from Wi-Fi is another "group of permissions", allowing the app to tell when it has a wifi connection, and so only preload news feeds when on wifi.

No, to monitor the network state all you need is "view network connections" (ACCESS_NETWORK_STATE) unless you need more detailed information about the wifi connection in which case you use "view Wi-Fi connections" (ACCESS_WIFI_STATE).

The permission Facebook requests is so that it can change what access point you are connected to and do other changes to your Wi-Fi configuration.

It's certainly nice that they release a high-performance encryption library, but the same things could be achieved using BouncyCastle relatively easily (as pointed out in the article) - just not as fast.

People who do bad encryption will continue to do bad encryption, because they don't know how to recognise bad encryption.

I think the ignored question here is, why the hell is facebook of all companies doing this? What are they doing releasing open source android tools?? That looks to me to be far off the radar of being anything useful for them.

You'd be fairly incorrect. Facebook does release a decent amount of open source things, not specifically for Android, but they've released basically all their work on a PHP compiler, along with some Javascript libraries and other little goodies.

Plus, a simple encryption method isn't really going to give them a giant competitive edge, so why not open it up for some good will?

EDIT: I realized I made a terrible grammatical error!

I think the question is more: Why is Facebook releasing a tool to protect your privacy?

And I will ask the question: why not? It takes very little work on their part and gives them more developer good will. Seems like a win win for them.

Furthermore, the adoption of best practice benefits every mobile developer. Probably not the biggest reason to release the tool, but still.

Hey Fox - check out this new henhouse, isn't it sweet? it's got space for 32 billion hens. oh, and here's a copy of the key (which also works in every other henhouse on earth). can you make sure you lock up when you leave? thanks.

Way to name a product. Your information isn't "secured" or "protected", it's just hidden because it's out of sight. Don't look under the rug, NSA, you'll find the skeleton.

I don't care to read the details and evaluate the actual level of security here (others have pointed out the irony of facebook writing a security toolset) - it just struck me as funny that the name of the tool strongly implies security through obscurity.

Way to name a product. Your information isn't "secured" or "protected", it's just hidden because it's out of sight. Don't look under the rug, NSA, you'll find the skeleton.

I don't care to read the details and evaluate the actual level of security here (others have pointed out the irony of facebook writing a security toolset) - it just struck me as funny that the name of the tool strongly implies security through obscurity.